
Hi, I've tried to fathom the logs of others and do all the necessary scans etc. but am still having re-directs from links in Google searches....even one of my 'Favourites' goes straight to a 'new' search engine...not always the same one. At this stage I have just run Crapcleaner, Ad-aware, Spybot and HJT...I am a bit frightened by the dialogue in some of the other posts and hope I can understand and carry out the instructions given....I get very nervous near the Start/run sequence....hoping you can help, thanks Tony. PS, please be gentle, I was born pre-1950!


Copy and paste the following bold blue text below into Notepad. Click on File (in the menu at the top) > Save as... Save as Type: 'All Files'. File name: fix.reg. Save it to your desktop. Then double-click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
==============================================
Windows Registry Editor Version 5.00

Double-click ATF-Cleaner.exe to run the program. Click 'Select All' found at the bottom of the list. Click the 'Empty Selected' button.

If you use the Firefox browser, do this also: Click Firefox at the top and choose 'Select All' from the list. Click the 'Empty Selected' button. NOTE: If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also: Click Opera at the top and choose 'Select All' from the list. Click the 'Empty Selected' button. NOTE: If you would like to keep your saved passwords, please click 'No' at the prompt.

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and checkmark the following items:

Click 'Fix Checked'. Close HijackThis, and click OK to proceed. At the end of the fix you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log. Let me know how your pc is running now.

Please Note: Only do the following if you have connection problems after performing the above steps: Go to Start > Control Panel, and choose 'Network Connections'. Then right click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up, then left click on 'Properties'. Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'. Click OK twice, restart your computer.
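The fix.reg step in the post above asks the user to merge a file into the registry without seeing what it changes. What follows is an added example, not code from this thread or from any of the tools named in it: a small Python parser that previews the keys and values a .reg file would create, set or delete, and flags anything touching autostart locations such as the Run keys, Winlogon or AppInit_DLLs, which are exactly the places a hijack fix edits. The sample .reg embedded in it is constructed for the example; the key paths and the AppInit_DLLs value are real Windows locations, while the Example\Unwanted key and the LoadValue/Blob values are placeholders.

```python
"""Preview what a Windows .reg file would change before merging it (added example)."""
import re

# Constructed sample, modelled on the kind of fix posted in this thread. The key
# paths and the AppInit_DLLs value are real Windows locations; the
# Example\Unwanted key and the LoadValue/Blob values are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unwanted]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kdhye"=-
"LoadValue"=dword:00000000
"Blob"=hex:de,ad,\
  be,ef
'''

REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-f]+)\))?:(.*)$')
# Locations a hijack fix is most likely to touch, and therefore the ones worth
# reading most carefully before merging.
AUTOSTART_HINTS = ("\\currentversion\\run", "\\winlogon", "appinit_dlls")


def _join_continuations(lines):
    """Merge lines ending in a backslash, as regedit does for long hex: values."""
    merged, pending = [], ""
    for line in lines:
        line = line.strip()
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        merged.append(pending + line)
        pending = ""
    if pending:
        merged.append(pending)
    return merged


def _decode_value(raw):
    """Turn the right-hand side of a value line into (type, value)."""
    raw = raw.strip()
    if raw == "-":
        return "DELETE", None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_RE.match(raw.lower())
    if m:
        kind = HEX_TYPES.get(m.group(1), "REG_BINARY(hex(%s))" % m.group(1))
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return kind, data
    raise ValueError("unrecognised value syntax: %r" % raw)


def parse_reg(text):
    """Return the list of actions regedit would perform, in file order."""
    lines = _join_continuations(text.splitlines())
    if not lines or lines[0] not in REG_HEADERS:
        raise ValueError("missing .reg header; regedit would refuse this file")
    actions, key = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue                              # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):               # [-KEY] deletes the whole key
                actions.append({"action": "DELETE_KEY", "key": key[1:]})
                key = None
            else:                                 # created if absent, opened otherwise
                actions.append({"action": "CREATE_KEY", "key": key})
            continue
        if key is None:
            raise ValueError("value line outside any key: %r" % line)
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError("malformed value line: %r" % line)
        name = "(Default)" if m.group(1) is None else m.group(1)
        vtype, value = _decode_value(m.group(2))
        actions.append({"action": "DELETE_VALUE" if vtype == "DELETE" else "SET_VALUE",
                        "key": key, "name": name, "type": vtype, "value": value})
    return actions


def risky_actions(actions):
    """Subset of actions that touch autostart locations (Run keys, Winlogon, AppInit_DLLs)."""
    flagged = []
    for a in actions:
        target = (a["key"] + "\\" + a.get("name", "")).lower()
        if any(hint in target for hint in AUTOSTART_HINTS):
            flagged.append(a)
    return flagged


if __name__ == "__main__":
    for a in parse_reg(SAMPLE_REG):
        mark = "!" if risky_actions([a]) else " "
        print(mark, a["action"], a["key"], a.get("name", ""), a.get("value", ""))
```

Feed it the text of a fix.reg before double-clicking the file: a file regedit exported is UTF-16 with a byte-order mark (open it with encoding="utf-16"), while one typed into Notepad and saved as 'All Files' is plain ANSI. Lines marked "!" are the ones that change what runs at logon, so they deserve a second look; a header check is included because regedit silently refuses a file without one, which is a common reason a posted fix "does nothing".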

Hi RichieUK, Everything seemed to go well....there was no O20 - AppInit_DLLs: 51.dll in the HJT log. Thanks so much for your help....and good luck in the cricket tomorrow!

Fixwareout
Last edited 1/30/2007
Post this report in the forums please ...

Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\System32\kdhye.exe will be moved to C:\WINDOWS\temp\kdhye.ren at reboot.

»»»»» System restarted
Reg Entries that were deleted ...
Random Runs removed from HKLM ...

Please follow these instructions carefully. Launch/start up AVG Anti-Spyware. On the main page click the 'Update' tab, and then 'Start Update'. Once the updates have been installed, do the following: Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab. Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'. Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'. Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'. Make sure all browser and all Windows Explorer windows are closed before fixing:

Still in Safe Mode, launch AVG Anti-Spyware. Click the 'Scanner' icon at the top. To start the scan click on 'Complete System Scan'. Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following. If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'. Next click on 'Save Report'. Copy and paste that report into your next reply. The report can be found under the 'Reports' tab at the top. Close AVG Anti-Spyware when you've done. Reboot normally.

=====================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, click Options > Change settings.
* Choose the "Scan" tab and UNcheck "Heuristic analysis".
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen).
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured.)
* Next, in the Dr.Web CureIt menu on top, click File and choose Save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web CureIt when done.
* Important! Reboot your computer, because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Post the AVG Anti-Spyware report, the DrWeb.csv report, and a new HijackThis log into your next reply please.

RichieUK, Good news and bad news....boot-up and connection was OK, maybe a little sluggish...the bad news is if I type in www.radioyesteryear.com.au it goes to a search engine that wants to sell mortgage insurance or auto insurance or sex search engine. (I have removed the Radioyesteryear out of my Favourites.) As you can see the O2 and O16 entries have stayed. I closed IE7 when I deleted, but have not deleted them the 2nd time yet. Maybe further analysis is needed.

Run the F-Secure online virus/spyware scan using Internet Explorer: http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions on the F-Secure page for proper installation. Accept the License Agreement. Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient. When the scan completes, click the 'I want to decide item by item' button. For each item found, select 'Disinfect' and click 'Next'. Click the 'Show Report' button, then copy and paste the entire report into your next reply.

===================

Run this online virus/spyware scan: Panda ActiveScan, using Internet Explorer.
* Once you are on the Panda site, click the Scan your PC button.
* A new window will open...click the Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address and click Send.
* Select either Home User or Company.
* Click the big Scan Now button.
* If it wants to install an ActiveX component, allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes.)
* When download is complete, click on Local Disks to start the scan.
* When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

Reboot, post both the above scan results and a new HijackThis log into your next reply please.

Hi RichieUK, I didn't see your post #4 until I returned after posting post #5. So I carried on and completed your task in the #4 post. DrWeb report, HJT report out of Safe Mode and AVG report as follows....at this stage www.radioyesteryear.org.au (NOT .com.au as previously posted) is still being redirected to eromans.com porn site search engine. The source file is:
<html><head><title>Page not found</title><script>document.write("<frameset><frame src=\"http://64.28.178.4/index.php\"></frameset>");</script></head><body></body></html>
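The page source pasted in the post above is a typical hijacked landing page: the visible document says "Page not found" while a script silently writes a frameset that loads another host. What follows is an added example, not part of the thread: a Python check that pulls frame and iframe targets out of saved page source, including ones written by document.write, and flags those that point to a bare IP address or to a host other than the site the user thought they were visiting. The first sample input is the source quoted in the post; the benign comparison page is constructed for the example.

```python
"""Spot hidden frame redirects in saved page source (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Page source exactly as posted in the thread: the document itself says
# "Page not found" but a script writes a frameset pointing at another host.
POSTED_SOURCE = (r'<html><head><title>Page not found</title><script>document.write('
                 r'"<frameset><frame src=\"http://64.28.178.4/index.php\"></frameset>");'
                 r'</script></head><body></body></html>')

# Constructed benign page for comparison: a relative frame and a same-site iframe.
BENIGN_SOURCE = ('<html><body><iframe src="/help.html"></iframe>'
                 '<iframe src="http://www.radioyesteryear.org.au/player.html"></iframe>'
                 '</body></html>')

# Matches <frame ...src="..."> / <iframe ...src='...'> inside script text, where the
# quotes are usually escaped as \" because they sit inside a JavaScript string.
SRC_RE = re.compile(r'<\s*i?frame\b[^>]*?\bsrc\s*=\s*\\?["\']([^"\'\\]+)', re.I)


class FrameFinder(HTMLParser):
    """Collect frame/iframe src values from static tags and from document.write calls."""

    def __init__(self):
        super().__init__()
        self.sources = []        # list of (origin, url); origin is "static" or "script"
        self._in_script = False
        self._script_buf = []    # script text may arrive in several chunks

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(("static", value))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            self._script_buf = []
            if "document.write" in body:
                for url in SRC_RE.findall(body):
                    self.sources.append(("script", url))


def suspicious_frames(html, expected_host):
    """Return (origin, url, reason) for each frame that does not belong to expected_host."""
    finder = FrameFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for origin, url in finder.sources:
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if origin == "script":
            reasons.append("frame written by document.write")
        try:
            ipaddress.ip_address(host)              # raises for names and empty hosts
            reasons.append("target is a bare IP address")
        except ValueError:
            pass
        if host and host != expected_host.lower():
            reasons.append("target host differs from expected host")
        if reasons:
            findings.append((origin, url, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for label, source in (("posted page", POSTED_SOURCE), ("benign page", BENIGN_SOURCE)):
        print(label, suspicious_frames(source, "www.radioyesteryear.org.au"))
```

This is a triage aid for a saved "View Source" copy, not a replacement for the scans in the thread: it tells you that the page you received was rewritten to frame a stranger's server, which together with the wrong DNS servers is what makes the redirect survive a browser cache clear. Relative frames and frames on the expected host produce no finding, so a legitimate site that frames its own pages is left alone.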

Reboot your computer into "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Hi RichieUK, Well, the Panda had trouble activating the ActiveX module..."Internet Explorer has to close...sorry if you were in the middle of something"...etc. Trying again (5th time). Panda's explanation is that I may be blocking the download, or HDD lack of space (how much do they need? 9.05GB avail.). Still trying. F-Secure took 10-11hrs, found 8 viruses plus tracking cookies. I selected remove individually and clicked next and it went through removing some and then quit saying "An error has occurred....." etc. I have restarted it and it shows 2 viruses in the 1539 files scanned, so I guess it didn't remove them when asked to before the fatal error. I'm sorry I got excited yesterday....it has been a long day today. I've just noticed you have a new post...I was trying to work out how to show pictures of the failures. Not to worry, I'll get on with the new instructions....thanks again for being so patient. Will I keep F-Secure going or terminate it? Tony

Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookie: ad.yieldmanager Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Warning [Backdoor.JustFun]: If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums. You should consider them to be compromised. Although your log is clean, they should still be changed by using a different computer. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Create a new System Restore Point. Help if needed: Click on Start/All Programs/Accessories/System Tools/System Restore. In the System Restore window, click the "Create a Restore Point" button, then click 'Next'. In the window that appears, enter a description, then click on "Create", then "Close". The date and time is created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Please Note: Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE).
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6.0'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
